From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Fri, 19 Oct 2012 20:54:00 +0200 Subject: [refpolicy] [PATCH 7/7] Shorewall needs sys_admin capability for manipulating network stack In-Reply-To: <1350672840-14590-1-git-send-email-sven.vermeulen@siphos.be> References: <1350672840-14590-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1350672840-14590-8-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com In order to manipulate the network stack (for instance, through the /proc/sys/net/ipv4/conf/*/rp_filter file for reverse path filtering), shorewall needs the sys_admin capability. If not, it fails with the error message "write error: Operation not permitted". Signed-off-by: Sven Vermeulen --- shorewall.te | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/shorewall.te b/shorewall.te index 4723c6b..0f26ab1 100644 --- a/shorewall.te +++ b/shorewall.te @@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t) # shorewall local policy # -allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace }; +allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace }; dontaudit shorewall_t self:capability sys_tty_config; allow shorewall_t self:fifo_file rw_fifo_file_perms; -- 1.7.8.6
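Review bot: before widening the shorewall_t self:capability set in this hunk, the commit message should quote the actual AVC denial so the reviewer can see that the capability being checked is sys_admin and not net_admin, which the rule already grants; "write error: Operation not permitted" on its own only tells us a capability check failed, not which one. sys_admin is by far the broadest capability in the line `allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace };`, so the justification should name the exact operation that requires it rather than the general example of /proc/sys/net/ipv4/conf/*/rp_filter. If the audit log confirms sys_admin, consider adding a comment above the rule recording which shorewall operation needs it, so that the grant can be revisited later instead of becoming permanent by default.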